Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Vincent Fox
I've had to exempt 4 MBL sigs in 24 hours.  Where's the QC?

I'm on a knife edge about just dropping MBL.



From: clamav-users on behalf of Alex

Sent: Friday, April 27, 2018 8:22:05 PM
To: ClamAV users ML
Subject: [clamav-users] Malwarepatrol false positives

Hi,

I can't imagine outright blocking https://goo.gl is not a mistake.

$ sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs
VIRUS NAME: MBL_6888621
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://goo.gl

MBL_6882958 and MBL_6888621 both hit on https://goo.gl.

I've reported this to them hours ago and still no update so wanted to
be sure people knew about it here.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Vincent Fox
Hi,

Getting hits today on this entry in daily.cld.

[root@smtp1 clamav]# sigtool --find-sigs Ppt.Exploit.CVE_2017_0199-6336815-1 | sigtool --decode-sigs
VIRUS NAME: Ppt.Exploit.CVE_2017_0199-6336815-1
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
schemas.openxmlformats.org/officedocument{WILDCARD_ANY_STRING(LENGTH<=500)}script:

Thanks!



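Both false-positive reports above (MBL_6888621 and MBL_6882958 firing on https://goo.gl, and Ppt.Exploit.CVE_2017_0199-6336815-1 with its `{-500}` wildcard) were diagnosed by piping `sigtool --find-sigs` into `sigtool --decode-sigs`. The Python below is an added example, not code from the list or from the ClamAV project: it parses the `.ndb` record format, renders the hex body the way `sigtool --decode-sigs` prints it, and builds the body of a `local.ign2` file, which is the local exemption route for a bad third-party signature. The `.ndb` records are constructed from the decoded text quoted in the posts (the real hex bodies are not on the page), and the target-type names and wildcard markers follow sigtool's output as recalled, so treat those strings as assumptions.

```python
import re
from dataclasses import dataclass

# Target-type names as sigtool prints them (assumption: recalled from sigtool's table).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL", 5: "GRAPHICS",
                6: "ELF", 7: "ASCII", 8: "NOT USED", 9: "MACH-O", 10: "PDF", 11: "FLASH", 12: "JAVA"}

_RANGE = re.compile(r"\{(\d*)(-?)(\d*)\}")   # {n}, {n-}, {-m}, {n-m}
_HEXPAIR = re.compile(r"[0-9a-fA-F]{2}")


@dataclass
class NdbSig:
    name: str
    target_type: int
    offset: str
    hexsig: str


def parse_ndb_line(line: str) -> NdbSig:
    """Split one .ndb record: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not an .ndb record: {line!r}")
    return NdbSig(parts[0], int(parts[1]), parts[2], parts[3])


def decode_hex_body(body: str) -> str:
    """Render a hex body the way `sigtool --decode-sigs` does: hex pairs become characters,
    `*`, `??` and `{n-m}` become WILDCARD_* markers. Unsupported constructs raise."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "*":
            out.append("{WILDCARD_ANY_STRING}")
            i += 1
        elif c == "{":
            j = body.find("}", i)
            m = _RANGE.fullmatch(body[i:j + 1]) if j != -1 else None
            if not m:
                raise ValueError(f"bad range wildcard at {i}: {body[i:]!r}")
            lo, dash, hi = m.groups()
            if lo and not dash:
                spec = f"LENGTH=={lo}"
            elif lo and not hi:
                spec = f"LENGTH>={lo}"
            elif hi and not lo:
                spec = f"LENGTH<={hi}"
            elif lo and hi:
                spec = f"LENGTH>={lo}&&<={hi}"
            else:
                raise ValueError(f"empty range wildcard at {i}")
            out.append("{WILDCARD_ANY_STRING(" + spec + ")}")
            i = j + 1
        elif body.startswith("??", i):
            out.append("{WILDCARD_IGNORE}")
            i += 2
        elif _HEXPAIR.fullmatch(body[i:i + 2]):
            b = int(body[i:i + 2], 16)
            # Non-printable bytes are escaped here; sigtool writes them raw.
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
            i += 2
        else:
            raise ValueError(f"unsupported construct at {i}: {body[i:i + 4]!r}")
    return "".join(out)


def describe(sig: NdbSig) -> str:
    """The same report sigtool prints for a found signature."""
    ttype = TARGET_TYPES.get(sig.target_type, str(sig.target_type))
    return (f"VIRUS NAME: {sig.name}\nTARGET TYPE: {ttype}\nOFFSET: {sig.offset}\n"
            f"DECODED SIGNATURE:\n{decode_hex_body(sig.hexsig)}")


def find_sigs(ndb_text: str, needle: str):
    """Rough equivalent of `sigtool --find-sigs`: records whose name contains needle."""
    return [parse_ndb_line(l) for l in ndb_text.splitlines()
            if l and needle in l.split(":", 1)[0]]


def ign2_lines(fp_names) -> str:
    """Body of a local.ign2 file: one signature name per line. Dropped next to the other
    databases, it makes clamd/clamscan skip those signatures (the local fix for a bad MBL sig)."""
    return "\n".join(sorted(set(fp_names))) + "\n"


# Constructed .ndb records: the posts show only the decoded form, so the hex is rebuilt here.
SAMPLE_NDB = "\n".join([
    "MBL_6888621:0:*:" + "https://goo.gl".encode().hex(),
    "MBL_6882958:0:*:" + "https://goo.gl".encode().hex(),
    "Ppt.Exploit.CVE_2017_0199-6336815-1:0:*:"
    + "schemas.openxmlformats.org/officedocument".encode().hex()
    + "{-500}" + "script:".encode().hex(),
])

if __name__ == "__main__":
    for sig in find_sigs(SAMPLE_NDB, "MBL_"):
        print(describe(sig), end="\n\n")
    print(ign2_lines(["MBL_6888621", "MBL_6882958"]), end="")
```

Before exempting a signature this way, decode it as above and confirm the match really is the benign string; a `.ign2` entry silences the name for every file, not just the one message that tripped it.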


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Vincent Fox

>Does anyone think it's reasonable/acceptable to block all macros in
>any sizable organization?

Yes.

We are 2-4 million messages/day, dunno if that is "sizable" to you.





Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Vincent Fox


On 10/06/2014 08:32 AM, Webmaster wrote:

On Monday, 6 October 2014, 10:05:11 Alain Zidouemba wrote:

If you think it needs to be quicker, then maybe you could volunteer your
time to help with the analysis (I'm not sure how you'd go about this)

Or use this:

https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

It raises the ClamAV detection rate up to 80% on 0-day malware.



Speaking of SecuriteInfo, is the High Risk label deserved
for the spam_marketing signatures?  Have used all the others
in the Securite list but that one.



[clamav-users] signature that penalizes for line length?

2014-06-14 Thread Vincent Fox

Hi,

We use ClamAV, and I have noticed a certain class of spam hitting us lately
that has VERY long final lines of garbage text.

The reason I noticed it was the length exceeds 2048 characters, which trips
a problem in POP3 client downloads.

Anyhow is there any signature that can be used to score and penalize
text/plain messages with excessively long lines?

Thanks!

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] signature that penalizes for line length?

2014-06-14 Thread Vincent Fox

It's late and I should have thought this through better.
Thanks!

On 6/14/2014 1:05 AM, Al Varnell wrote:

In general terms, ClamAV® looks for malware and not spam.  There are some additional 
“unofficial” signature databases that can be subscribed to and work with the ClamAV® 
scan engine, so I suggest taking a look at Sanesecurity 
http://sanesecurity.com to see if they have what you need.

Steve runs things there and subscribes to this list so will probably have some 
more specific knowledge.

-Al-

On Sat, Jun 14, 2014 at 12:56 AM, Vincent Fox wrote:

Hi,

We use ClamAV, and I have noticed a certain class of spam hitting us lately
that has VERY long final lines of garbage text.

The reason I noticed it was the length exceeds 2048 characters, which trips
a problem in POP3 client downloads.

Anyhow is there any signature that can be used to score and penalize
text/plain messages with excessively long lines?

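As Al notes, ClamAV is not a spam scorer, but the check Vincent asks for is simple to run in the MTA or a milter instead. The Python below is an added example, not code from the thread or from the ClamAV or Sanesecurity projects: it walks a MIME message with the standard library `email` package and reports every text part whose longest line exceeds the 2048-character figure from the post. The message is constructed inline for illustration, and the default threshold is an assumption taken from that figure.

```python
import email
from email import policy
from email.message import EmailMessage

MAX_LINE = 2048   # the length from the post, beyond which the POP3 client download broke


def long_line_parts(raw: bytes, limit: int = MAX_LINE):
    """Return [(part_index, content_type, longest_line)] for every text part of the
    message whose longest line exceeds `limit`. Multipart containers are skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes the transfer encoding, so we measure the real line length,
        # not the 76-column base64/quoted-printable wrapping on the wire.
        text = part.get_content()
        longest = max((len(line) for line in text.splitlines()), default=0)
        if longest > limit:
            hits.append((idx, part.get_content_type(), longest))
    return hits


def build_sample(junk_len: int = 3000) -> bytes:
    """Constructed multipart/alternative message: a normal text/plain body that ends in one
    very long line of filler, plus a short text/html alternative."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello,\nthis is a normal body.\n" + "x" * junk_len + "\n")
    msg.add_alternative("<html><body><p>short</p></body></html>", subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for idx, ctype, longest in long_line_parts(build_sample()):
        print(f"part {idx} ({ctype}): longest line {longest} > {MAX_LINE}")
```

In a milter the result would feed a score or a reject; the parser deliberately measures the decoded body, because a base64-encoded part looks harmless on the wire and only becomes a 3000-character line once the client decodes it.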


Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-04-08 Thread Vincent Fox

On 4/8/2014 8:12 PM, Carl Brewer wrote:

On 13/02/2014 8:48 PM, Sim wrote:

Hello!
In the last weeks/months the unrecognized viruses have been increasing
exponentially (not only for ClamAV but for all antivirus).
My idea is to block all EXE/SRC (also inside ZIP/RAR).
Executing clamscan --debug filename I can see:

- LibClamAV debug: Recognized MS-EXE/DLL file
- Section contains executable code

Which is the best solution/way to block all EXE/executable files?


If it's on a mail server, why not use the MTA to block it?

We use the signature database Foxhole_all.
After a ransomware (Cryptolocker) outbreak unfortunately.
That covers most dangerous types inside ZIP, RAR.





Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-03-02 Thread Vincent Fox

Comment about this feature, which I've never turned on before.

I flipped it on, for a single mail router in a pool of 9.  Over the
course of a day and MANY messages, it tripped for only 4 messages, all of
which seem legit.

So I'm turning it back off.



Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Vincent Fox

On 8/13/2013 9:46 PM, Matt Olney wrote:

OK...I'll do some testing tomorrow and see if we can't come up with some
information for you.

Mainly I want MX pool heavy on signatures.  I tested shorter list on SMTP pool:


ss_dbs=
   blurl.ndb
   bofhland_malware_URL.ndb
   bofhland_phishing_URL.ndb
   junk.ndb
   jurlbl.ndb
   jurlbla.ndb
   lott.ndb
   phish.ndb
   phishtank.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   sigwhitelist.ign2
   spam.ldb
   spamimg.hdb
   winnow_malware.hdb
   winnow_phish_complete_url.ndb


Which got it back down to about 30 seconds.  There are 3 signatures that
seem a large drag on startup: bofhland cracked, scamnailer, and securiteinfo.


Thanks!


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Vincent Fox

On 8/14/2013 7:58 AM, G.W. Haywood wrote:

Hi there,

On Wed, 14 Aug 2013, Vincent Fox wrote:

Re: clamd taking too long to restart?


Previously I was using a short list of signatures and startup time of 30
seconds which was acceptable.  Well it didn't get noticed much.

However recently I added a kitchen sink of extra databases like winnow etc.

Now startup time is 2.5 minutes, which becomes noticeable.


The kitchen sink of databases is very useful, I see more trash being
caught by them than I see viruses being caught by main and daily.


Actually the vast bulk of the problem seems to come from bofhland Cracked URL.

Removing that database on my SMTP servers cut restart time to 34 seconds.




Any way to ameliorate this?


Are you using separate processes on each VM?  If so you might want to
consider using only one of them to run a clamd daemon, and have the
others contact it for the service.  You could conceivably arrange the
clamd daemon to be able to run on any one of the VMs, and then one of
them could be providing the service while another was restarted when
necessary.  When the newly started clamd is ready, switching from one
network connection to another will be very quick.

You could instead do something similar, but set up another two VMs to
provide the clamd service.  Then you could stop the whole VM when it
isn't being used to provide the clamd service, saving resources. The
VMs which provide clamd could be stripped down so that they're small
and use minimal resources.  I would guess that 200M-300M of RAM and a
gigabyte of disc space would be plenty for one of the VMs, all it will
ever really do is run a few regex matches.


Hmmm yes.

We originally had a pool of mail routers, talking to a pool of ClamAV
machines.  Hardware load balancer made things resilient.

However for simplicity of management we collapsed things down so each mail
router talked to its localhost copy of ClamAV.  It also allows
differentiation: you can easily have differing ClamAV databases for MX,
SMTP, MSA hosts.  I see now how this led to this particular problem, as the
moment sendmail can't contact its one and only ClamAV it starts throwing
errors.  Stupid of me to overlook this deficiency before.

With LDAP clients I can define a failover list on a host, so if it can't
contact its primary server it goes to the next one.  Perhaps something like
that here?

Thanks for pointing this out.


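The failover list Vincent describes for LDAP maps directly onto clamd, because clamd answers a plain `PING` on its socket with `PONG`. The Python below is an added example, not code from the thread or from the ClamAV project: `pick_clamd` walks an ordered list of clamd endpoints and returns the first one that answers the NUL-terminated `zPING` command, so a restarting local daemon is skipped in favour of a neighbour. To run offline it includes a constructed stand-in server that speaks only that one command; the host/port list, timeout and the fake server are all assumptions for illustration.

```python
import socket
import threading

PING = b"zPING\0"   # clamd's NUL-delimited command form; the reply is NUL-delimited too
PONG = b"PONG\0"


def probe_clamd(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if something at host:port answers PING with PONG within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PING)
            reply = b""
            while not reply.endswith(b"\0") and len(reply) < 64:
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
            return reply == PONG
    except OSError:          # refused, timed out, unreachable: treat as down
        return False


def pick_clamd(endpoints, timeout: float = 1.0):
    """Return the first (host, port) in `endpoints` that answers, or None if all are down.
    Put the localhost daemon first so the neighbour is used only while it restarts."""
    for host, port in endpoints:
        if probe_clamd(host, port, timeout):
            return (host, port)
    return None


# ---- constructed stand-in for clamd, only so the example runs without a real daemon ----
def start_fake_clamd() -> int:
    """Listen on an ephemeral loopback port and answer PING like clamd; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(64)
                conn.sendall(PONG if data == PING else b"UNKNOWN COMMAND\0")

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """An ephemeral port nothing listens on, standing in for a clamd that is restarting."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    down, up = unused_port(), start_fake_clamd()
    print(pick_clamd([("127.0.0.1", down), ("127.0.0.1", up)]))
```

For a sendmail deployment the same effect is available without custom code: clamav-milter's `ClamdSocket` option may be given several times, and the milter rotates among the listed daemons and skips one that does not respond, so a localhost entry plus one or two neighbours covers the restart window.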


[clamav-users] clamd taking too long to restart?

2013-08-13 Thread Vincent Fox

Hi,

Previously I was using a short list of signatures and startup time of 30
seconds which was acceptable.  Well it didn't get noticed much.

However recently I added a kitchen sink of extra databases like winnow etc.
Now startup time is 2.5 minutes, which becomes noticeable.

Any way to ameliorate this?




Re: [clamav-users] clamd taking too long to restart?

2013-08-13 Thread Vincent Fox

On 8/13/2013 8:49 PM, Matt Olney wrote:

So, what qualifies as a kitchen sink-load?



Most everything that SaneSecurity hosts that is low or medium risk:

ss_dbs=
   blurl.ndb
   bofhland_cracked_URL.ndb
   bofhland_malware_URL.ndb
   bofhland_phishing_URL.ndb
   bofhland_malware_attach.hdb
   crdfam.clamav.hdb
   junk.ndb
   jurlbl.ndb
   jurlbla.ndb
   lott.ndb
   phish.ndb
   phishtank.ndb
   porcupine.ndb
   rogue.hdb
   sanesecurity.ftm
   sigwhitelist.ign2
   scam.ndb
   scamnailer.ndb
   spam.ldb
   spamimg.hdb
   spamattach.hdb
   spear.ndb
   spearl.ndb
   winnow.attachments.hdb
   winnow_bad_cw.hdb
   winnow.complex.patterns.ldb
   winnow_extended_malware.hdb
   winnow_extended_malware_links.ndb
   winnow_malware.hdb
   winnow_malware_links.ndb
   winnow_phish_complete_url.ndb
   winnow_spam_complete.ndb

si_dbs=
   securiteinfoelf.hdb
   securiteinfosh.hdb
   securiteinfopdf.hdb
   securiteinfooffice.hdb
   securiteinfohtml.hdb
   securiteinfodos.hdb
   securiteinfobat.hdb
   securiteinfo.hdb

mbl_dbs=
   mbl.ndb


My mail routers are VMs and not the fastest things around but neither
are they 486s pulled from a scrap heap:

[root@msa3 etc]# grep name /proc/cpuinfo
model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
[root@msa3 etc]# grep MemTotal /proc/mem*
MemTotal:8057768 kB




[clamav-users] n00b question: signatures enabled?

2013-07-26 Thread Vincent Fox

Hi,

I've been puzzling over a ClamAV installation I was handed.

Is there an easy way to verify which signatures are being loaded/used?

It's not clear to me, where you go to enable/disable signatures.
I see quite a lot of signatures being downloaded by freshclam and/or
the unofficial-sigs.sh jobs.  However I don't see evidence in my maillogs
of hits on more than 6 of them.  We have fairly busy mail routers so
I'd expect to hit on some of the others at least once a day.

I hunted around on Wiki/FAQ and web searches couldn't find an
answer to this.


Thanks!



Re: [clamav-users] n00b question: signatures enabled?

2013-07-26 Thread Vincent Fox

Found the answer to part of my question with:

clamconf -n

I still have a problem that previous admin was downloading
lots of unofficial signatures, to a place that clamd isn't paying
any attention to.  Working on that part.

Thanks!

On 07/26/2013 12:44 PM, Vincent Fox wrote:

Hi,

I've been puzzling over a ClamAV installation I was handed.

Is there an easy way to verify which signatures are being loaded/used?

It's not clear to me, where you go to enable/disable signatures.
I see quite a lot of signatures being downloaded by freshclam and/or
the unofficial-sigs.sh jobs.  However I don't see evidence in my maillogs
of hits on more than 6 of them.  We have fairly busy mail routers so
I'd expect to hit on some of the others at least once a day.

I hunted around on Wiki/FAQ and web searches couldn't find an
answer to this.


Thanks!





Re: [clamav-users] What happened to 12663 ?

2011-02-11 Thread Vincent Fox

On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:

On the other hand, since you haven't updated ClamAV in over a year, leading to 
(significantly) decreased detection, maybe the scanning of email isn't top 
priority, and your mail scanning engine needs to fallback to letting mail 
through on scan errors.


Forgive me for this but

3-4 days after v0.97 is released, v0.95 is considered obsolete and
no longer worth testing databases for.  However, I don't see that an
announcement went out to this effect.  And in fact, when you follow
the OUTDATED link in the software it mentions 0.94.  If you want to
consider 0.95 series EOL please update.

The test database feature seems plenty reason to upgrade without
beating us over the head about what slackers we are.  For some of us
though it means compiling and deploying to production which carries
its own overhead that may be more than a need it fixed NOW
as management wrings its hands.  We disabled freshclam and kept
running an older database instead.





